from the this-is-bad dept

For years now, we've discussed the various problems with the push (led by the MPAA, but with some help from Netflix) to officially add DRM to the HTML 5 standard. Now, some will quibble with even that description, as supporters of this proposal insist that it's not actually adding DRM, but rather this "Encrypted Media Extensions" (EME) is merely just a system by which DRM might be implemented, but that's a bunch of semantic hogwash. EME is bringing DRM directly into HTML and killing the dream of a truly open internet. Instead, we get a functionally broken internet. Despite widespread protests and concerns about this, W3C boss (and inventor of the Web), Tim Berners-Lee, has signed off on the proposal. Of course, given the years of criticism over this, that signoff has come with a long and detailed defense of the decision... along with a tiny opening to stop it.

There are many issues underlying this decision, but there are two key ones that we want to discuss here: whether EME is necessary at all and whether or not the W3C should have included a special protection for security researchers.

First, the question of whether or not EME even needs to be in HTML at all. Many -- even those who dislike DRM -- have argued that it was kind of necessary. The underlying argument here is that certain content producers would effectively abandon the web without EME being in HTML5. However, this argument rests on the assumption that the web needs those content producers more than those content producers need the web -- and I'm not convinced that's an accurate portrayal of reality. It is fair to note that, especially with the rise of smart devices from phones to tablets to TVs, you could envision a world in which the big content producers "abandoned" the web and only put their content in proprietary DRM'd apps. And maybe that does happen. But my response to that is... so what? Let them make that decision and perhaps the web itself is a better place. And plenty of other, smarter, more innovative content producers can jump in and fill the gaps, providing all sorts of cool content that doesn't require DRM, until those with outdated views realize they're missing out. Separately, I tend to agree with Cory Doctorow's long-held view that DRM is an attack on basic computing principles -- one that sets up the user as a threat, rather than the person who owns the computer in question. That twisted setup leads to bad outcomes that create harm. That view, however, is clearly not in the majority, and many people admitted it was a foregone conclusion that some form of EME would move forward.

The second issue is much more problematic. A bunch of W3C members had made a clear proposal that if EME is included, there should be a covenant that W3C members will not sue security researchers under Section 1201 of the DMCA should they crack any DRM. There is no reason not to support this. Security researchers should be encouraged to be searching for vulnerabilities in DRM and encryption in order to better protect us all. And, yet, for reasons that no one can quite understand, the W3C has rejected multiple versions of this proposal, often with little discussion or explanation. The final decision from Tim Berners-Lee on this is basically "sure a covenant not to sue would have been nice, and we think companies shouldn't sue, but... since this wasn't raised at the very beginning, we're not supporting it":

We recommend organizations involved in DRM and EME implementations ensure proper security and privacy protection of their users. We also
recommend that such organizations not use the anti-circumvention
provisions of the Digital Millennium Copyright Act (DMCA) and similar laws around the world to prevent security and privacy research on the specification or on implementations. We invite them to adopt the proposed best practices for security guidelines [7] (or some variation),
intended to protect security and privacy researchers. Others might advocate for protection in public policy fora – an area that is outside the scope of W3C which is a technical standards organization. In addition, the prohibition on "circumvention" of technical measures to protect copyright is broader than copyright law's protections against infringement, and it is not our intent to provide a technical hook for those paracopyright provisions.

Given that there was strong support to initially charter this work
(without any mention of a covenant) and continued support to
successfully provide a specification that meets the technical
requirements that were presented, the Director did not feel it
appropriate that the request for a covenant from a minority of Members
should block the work the Working Group did to develop the specification
that they were chartered to develop. Accordingly the Director overruled these objections.

This is unfortunate. What's bizarre is that the supporters of DRM basically refuse to discuss any of this. Even just a few days ago, the Center for Democracy and Technology proposed a last-ditch "very narrow" compromise to protect a limited set of security and privacy researchers (just those examining implementations of w3C specifications for privacy and security flaws.) Netflix flat out rejected this compromise saying that it's "similar to the proposal" that was made a year ago. Even though it's not. It was more narrowly focused and designed to respond to whatever concerns Netflix and others had.

The problem here seemed to be that Netflix and the MPAA realized that they had enough power to push this through without needing to protect security researchers, and just decided "we can do it, so fuck it, let's do it." And Tim Berners-Lee -- who had the ability to block it -- caved in and let it happen. The whole thing is a travesty.

Corry Doctorow has a thorough and detailed response to the W3C's decision that pushes back on many of the claims that the W3C and Berners-Lee have made in support of this decision. Here's just part of it:

We're dismayed to see the W3C literally overrule the concerns of its public interest members, security experts, accessibility members and innovative startup members, putting the institution's thumb on the scales for the large incumbents that dominate the web, ensuring that dominance lasts forever.

This will break people, companies, and projects, and it will be technologists and their lawyers, including the EFF, who will be the ones who'll have to pick up the pieces. We've seen what happens when people and small startups face the wrath of giant corporations whose ire they've aroused. We've seen those people bankrupted, jailed, and personally destroyed.

This was a bad decision done badly, and Tim Berners-Lee, the MPAA and Netflix should be ashamed. The MPAA breaking the open internet I can understand. It's what that organization has wanted to do for over a decade. But Netflix should be a supporter of the open internet, rather than an out and out detractor.

As Cory notes in his post, there is an appeals process, but it's never been used before. The EFF and others are exploring it now, but it's a hail mary process at this point. What a shame.

Re:

Re:

Of course, the ideal solution is to fix this as a matter of law, which EFF is also working on.

What I've seen from them has been purely "defensive". It's good, but we could use some offense too--like a proposal to make it a crime to interfere with fair use. Leave DRM technically legal, as long as the implementors figure out the "magic" way to block only illegal uses of the copyrighted material.

Re:

Two problems with this:1) Laws are not global, while the web is. At best you'll end up with competing laws all over the place which is already a mess with existing standards. Adding another layer won't make that better.

2) Lawmakers in many -- perhaps most -- countries seem to be firmly in the pockets of the people pushing DRM. That is, you're more likely to see "DMCAv2.0 now with even more consumer rights destruction!" than you are to see a pro-consumer law. Not that the latter _couldn't_ happen, but its not the most likely outcome should politicians start digging their hands into the situation.

Re:

Re: Re: Stealing?

The objection to DRM has nothing to do with the ability to steal products, for me it's more to do with the fact I want to have the right to do what I want with what I've bought.

If I want to convert a file so it can play on a device of mine I should be allowed to do so, I don't see why I should be beholden to using a set of approved devices just so I can do that.

DRM has been shown time and time again not to work and if anything have a bigger impact for legimate customers where as pirates get a better experience. (https://arstechnica.co.uk/gaming/2017/06/rime-denuvo-cracked-faster/)

Also as has been said elsewhere DRM will section off a part of your system which you will no longer have control over, part of which will be your browser, given the issues with browser exploits being used to turn machines in to drones for botnets, take over the brower experience or do download more nefarious things such as Cryptoware I would rather these not be locked in to a DRM safe zone where I can't remove them or prevent them in the first place, just for a minute, think of the damage that could be done if some malicious code were to be in some advert as they are now, but this time it's protected by DRM so your AV, Malware protection or whatever can't see or stop it, just think of the damage this could do wide scale.

Convert what file?

Content viewed over the web is, by definition, streaming content and therefore is transitory. There's no file to buy or convert. The arguments against DRM for, say, e-books, or downloaded music do not apply here.

There certainly ARE arguments against web-based DRM, but the "I want control in perpetuity over the content I paid for" isn't one of them.

Re: Convert what file?

I will agree with you in what you said, my view of DRM still stands, I should have clarified that I was talking of DRM in general to get my point over of why it's just a tool for control of content more than anything else and how it causes more harm and such than any benefits it brings.

The other things I mentioned about the likes of the brower being in a DRM enviroment where code is downloaded and run without your control or intervention opens you up to many many risks.

Time to Freeze Out the w3c

The last time the web was taken hostage by w3c (and Microsoft thanks to Internet Explorer), we had Mozilla rescue the web with new standards (nevermind the later decay Mozilla would go through the past decade).

We need an early 2000s Mozilla to shake up the web and rescue it from this time the w3c and their corporate overlords (Hollywood).

Betting pool time

Re: Betting pool time

Probably a long time, since EME isn't actually a DRM system itself -- its a container protocol to create a standard interface for third party DRM systems to pass through.

Essentially, the "breakable" parts are still proprietary and not part of the standard. The only required "encryption" scheme the standard outlines is cleartext, which doesn't really take a lot of work to crack. Beyond that, its still up to each DRM provider to come up with their own actual encryption method -- they just have to build it in a way that works with the newly defined protocol/APIs.

Re: Re:

You're right, it doesn't. However, the snark in my comment was directed at the people who are pounding away trying to get it in at all. TBL did not, to me, seem in favor of this. His words strike me more as "Oh, well, do what you want. You will anyway." than a full voiced roar of approval.

In any case, even if DRM is incorporated into HTML standards, it doesn't mean I will use it. If the content I wish to consume isn't around where I can consume it as I would like, I'll do without it.

Worse in my opinion, are licensed text books. One I was needing for a refresher cost $2,000 for a 1 year license. After that, you couldn't read the book without purchasing another license.

Re: Re: Re:

His words strike me more as "Oh, well, do what you want. You will anyway." than a full voiced roar of approval.

If he was really against it and thought that his opposition wouldn't have mattered then he should have been openly against it anyway. 'You might be able to push this through despite me, but you won't get my approval or agreement while you do it.'

That I imagine people could have respected, but his current stance of, if not agreement with the proposed inclusion of EME then at the very least an indifferent position towards it? Not so much.

Re: Re: Re:

In any case, even if DRM is incorporated into HTML standards, it doesn't mean I will use it.

The problem is that unless your browser does not incorporate support, or that support can be turned off, you have no choice in whether or not a module is loaded and run on your computer. Also, unfortunately I can see advertisers jumping on this to 'protect' their adds by increasing their ability to track people around the Internet.

Re: Re: Re: Re:

The problem is that unless your browser does not incorporate support, or that support can be turned off, you have no choice in whether or not a module is loaded and run on your computer.

If you're using a browser where it can't be turned off, and whose source code you can't modify, you've already agreed to give up control. As long as source is available, someone will release a non-DRM version. Many Linux distributions like Debian and Fedora have policies against non-free software, so they'll pretty much have to disable it if they're going to ship the browser.

Re: Re:

But his salary doesn't depend upon his not understanding it. He's Tim Berners-fucking-Lee. He could have pushed one of the compromise proposals and it wouldn't have cost him a dime.

To be fair... there have been some quiet murmurs and rumblings and rumors that... his salary kinda does depend on this. That is, the W3C, as currently structured costs a fair bit of money and at times it's been a bit hard up in finding enough support. Along come the likes of the MPAA, willing to be paying members... and things are more stable magically. So... without EME in DRM, the W3C might lose paying members like the MPAA and that might make it more difficult for it to stay in operation (at least at its current levels).

That, at least, is the story I've heard from a few people, but it may be somewhat exaggerated.

Looking for a leader

Since this is just a protocol, and not a law, aren't browsers able to forego this? I am suggesting, and betting, that one or more browser makers will forego this protocol and make themselves number one, if they aren't already. That may mean that they are no longer members of W3C, but so what?

Re: Re: Looking for a leader

I hear ya. But one of the principles of marketing is showing how one is different and better. Given some equality in other aspects, this might be the thing that brings one of those others over the top.

I do understand that 'some equality' is possibly difficult or impossible to overcome. And for me, it has to run on Linux, yet another burden.

Re: Re: Re: Re: Looking for a leader

I use Chrome and sometimes Firefox in Linux, and am not actually happy with either, this capitulation being part of my disappointment. I do not use them to watch much video, the occasional YouTube or Vimeo video in connection with some article. Icecat and other Linux only browsers don't do it for me either.

I have my own sources for video and music and books (using OpenElec for video and music and Open Reader (Android) for reading), and have not violated any laws in my collecting these (recording off the air is not illegal). If I cannot get it legally, I don't view, listen, or read. At the same time I don't think there is anything wrong with torrents, there is nothing out there that I might want to watch, listen to, or read, that I cannot get from the library for the same cost to me. The hysteria of the copyright middlemen is out of control, but it hasn't stopped me, and won't, though I may miss out on some new content, again, so what.

Could I live just re-reading Shakespeare or other public domain works for the rest of my life? It might just take me that long to actually understand all that was said. Much of it is quite deep. But I do look for entertainment, even if it is just background noise to some degree, and not nearly as deep.

Re: Re: Re: Re: Re: Looking for a leader

I understand, and, like I said, my hat's off to you. I'm just saying that most people have a different set of priorities than you do, and I can't see a path to a browser advertising itself as EME-free and getting more pickup that way until some kind of crisis occurs -- some EME implementation has a major data leak, or there's a major security compromise, or becomes associated with major performance/stability/battery issues, or something along those lines.

Re: Re: Re: Re: Re: Looking for a leader

I am heavily against DRM and do not support EME, but I don't want my browser deciding what parts of a protocol they're going to implement. I have no issue with Firefox lobbying W3C to drop this "feature" but if it's in the protocol, I expect them to implement it.

I know since we're talking about DRM, it's really easy to support Firefox and Chrome ignoring EME, but if we leave it up to the browsers, we'll have another IE6 fiasco all over again. Protocols and standards (especially open ones) have been beneficial to the internet's growth and I support them wholeheartedly, but the browsers should not be deciding this. Otherwise, what's the point of having and agreeing to a protocol at all.

Re: Re: Re: Re: Looking for a leader

Yeah, I still know no one who uses IceWeaselCat or SeaMonkey. Never mind for anti-EME reasons on the Debian Linux side of things. And good chance the OS is going to enforce something chosen against with a browser, if there were a such browser in the win10/osx world.

Re: Re: Looking for a leader

I still use Konqueror. There are places with broken HTML that it doesn't like, so I don't go there. It's like driving a Ferrari; it doesn't like bad roads much. But it's so fast that running Chrome or Firefox feels like your computer just turned into a 286, and its built-in support for ad blocking and bad hosts is so convenient, every time I've tried moving to a more mainstream browser, I wound up going back to Konqueror.

"Speed thrills."

[bear in mind, my first browser was NCSA Mosaic on SCO V, before it became Netscape...]

Section 1201

there should be a covenant that W3C members will not sue security researchers under Section 1201 of the DMCA should they crack any DRM. There is no reason not to support this.

I can see one: it's been said that strict enforcement of a law is the quickest way to turn people against it. If people know that DRM is going to fuck them, going to be insecure because security researchers would be sued into oblivion for looking at it, perhaps they'll be more likely to resist it. I say if the W3C is going to support DRM, let them support the most horrible user-hostile DRM imaginable.

Security researchers should be encouraged to be searching for vulnerabilities in DRM and encryption in order to better protect us all.

Nope, let's not help the DRM purveyors "improve" their DRM. And since they're not acting in good faith with regards to the public—they're writing DRM after all—they shouldn't expect good faith from security researchers.

Any person having a gadget which can copy IS an enemy of those who produce content. Fundamental to copyright, why Constitution states "exclusive right" to control copies.

Since you don't agree that anyone should have an exclusive right to content merely because they spent the time and money to make it, nearly all of this piece on updating the mechanical means to protect it is your usual attempt to claim that content would be made at all without that exclusive right in law being applied to each new gadget, or system.

But "free as in beer" or advertising supported as Youtube is pretty much proven to not work. Doesn't look as though even Youtube is actually gaining money, but is subsidized. And its "stars" are literally killing themselves off now, so the future of homemade looks bleak. Youtube would collapse without the underlying support of content stolen from major producers. One can only stand Youtube amateurs like "Stevie Ryan" (who recently committed suicide, only reason I know name), until wanting professional (meaning large high-skill, high-cost team) drama, or at least BIG 'splosions, robots, super-heroes, and car chases.

Anyhoo, you say that wider use of specialized DRM would be okay, so why quibble about it in the new telescreen -- I mean HTML5 spec?

Will everyone be required to use this DRM? No, don't see how. Surely still be able to take video from your own gadget while girlfriend shoots through a book with 50 cal from a Desert Eagle -- another Darwin award winner who was doing it for Youtube -- now, that's entertainment -- and put it where anyone can download.

This is another version of your usual outrage that someone who made content has ability to control it and exclusively them get money from it.

You've been writing this same schtick for how many years now? Aren't you the least little bit dismayed that exactly none of the changes you foresaw with Napster, of FREE as in beer content everywhere on the net, are in place?

Re:

Any person having a gadget which can copy IS an enemy of those who produce content.

By this logic, anyone who fancies themselves a “content producer” can refer to the hundreds of millions of people who own or operate a smartphone, DVR, tablet, or personal computer as “enemies”. How does that make any goddamn sense to you?

Re: Re: "Any person having a gadget which can copy IS an enemy of those who produce content"

> Any person having a gadget which can copy IS an enemy of those who produce content.

Wait, not "anyone who copies copyrighted works", but "anyone who has a device which could copy"?

Yes, absolutely, if we're referring to the opinion of the "big copyright" content producers. See Sony v. Universal where they tried to kill the VCR, or Digital Audio Tape which they successfully killed.

Of course, essentially all "content" is copyrighted and nearly everyone produces it these days.

Re: Any person having a gadget which can copy IS an enemy of those who produce content. Fundamental to copyright, why Constitution states "exclusive right" to control copies.

Re: Any person having a gadget which can copy IS an enemy of those who produce content. Fundamental to copyright, why Constitution states "exclusive right" to control copies.

>This is another version of your usual outrage that someone who made content has ability to control it and exclusively them get money from it.

You obviously do not understand how DRM will work, the DRM owner will be the publisher, and take control, via copyright assignment,or work for hire contracts, of creators works before wrapping them in DRM. In other words DRM is a means whereby the middlemen can gain control of works created by other to their great profit, with a few crumbs given to the selected creators that they publish.

Re: Any person having a gadget which can copy IS an enemy of those who produce content. Fundamental to copyright, why Constitution states "exclusive right" to control copies.

Kind of curious how you figure no one is making any money off of Youtube advertising and how it is proven not to work when there are so many Youtube stars who got their start on Youtube and that is their main/only source of income.

Also, on Youtube not gaining money and being subsidized, got a source for that? Pretty sure it wouldn't exist if it wasn't making money on its own.

"I'll take my ball and go home, you just watch me!"

The underlying argument here is that certain content producers would effectively abandon the web without EME being in HTML5.

Definitely going to agree with the response to this in the article: So what?

If companies want to cut themselves off from such an amazing resource as the internet because they didn't get to have their DRM to 'protect' them baked into the core standard then let them leave, there are countless people and companies that would happily replace them. I imagine that much like those that threatened Google only to be de-listed as a result they'd come crawling back inside a month, after realizing that the only people they screwed over with their actions was them.

The proper response to someone throwing a tantrum and tossing out 'ultimatums' like that isn't to cave in, it's to call their bluff and refuse to give them what they want.

Re: Re: "I'll take my ball and go home, you just watch me!"

Re: Re: Re: "I'll take my ball and go home, you just watch me!"

They can. It helps that there are only 2 major phone platforms... but then there are 2 gaming platforms, 2 PC platforms, plus stuff like set-top boxes.

Still, if the browser vendors didn't give in, someone would have to write and maintain those apps. As DRM is basically pollution, the public shouldn't be paying the costs and helping them spread it; instead we should make them pay as much as possible, and hope they'll change their mind

Re: Re: "I'll take my ball and go home, you just watch me!"

It's not that they'd "leave the Internet", it's that they'd wall it off into a bunch of proprietary apps.

And watch their user/customer numbers take a not-insignificant hit as suddenly people found themselves needing to deal with a half a dozen or more different things in order to get what they had before. Make it too big of a hassle and I imagine more than a few would decide that they don't actually care enough to jump through the hoops and went elsewhere.

Re: Re: Re: "I'll take my ball and go home, you just watch me!"

I like to think you're right.

On the one hand, phones and tablets have proven that people are fine with downloading an app that's just a fucking browser with most of its features stripped out that can only visit one website. On the other hand, it's a mistake to assume that people are willing to accept the same behavior from their desktops that they are from their phones. (And that mistake is called Windows 8.)

Re: Re: "I'll take my ball and go home, you just watch me!"

It's not that they'd "leave the Internet", it's that they'd wall it off into a bunch of proprietary apps.

You mean like how they're instead walling off their content behind the inappropriately endorsed DRM provided by EME? Either way, the content's not properly accessible. If it's going to be inaccessible either way, I'd rather my browser not be carrying around EME code that security researchers cannot legally investigate to see how badly written it is.

Re: It's not that they'd "leave the Internet", it's that they'd wall it off into a bunch of proprietary apps.

We already went through that phase.

Before the Internet, there were the proprietary dialup services, e.g. Compuserve, Prodigy etc. They had content available nowhere else, and they charged accordingly. Where are they now?

Gone.

Then in the early days of the Web, several companies scoffed at the crude nature of HTML at the time, and put a lot of effort into their own proprietary, “superior” alternatives: remember Quark Immedia, or Microsoft’s Project Blackbird?

No, nobody else does either.

The lesson of history is clear: when it comes to a showdown between content and connectivity, connectivity wins. The Internet is all about connectivity. That’s why it wins.

Of course DRM is absolutely necessary!

It is absolutely essential that DRM, walled gardens, release windows, movies and TV shows that mysteriously appear and disappear on Netflix and the rest of it be maintained and strengthened.

How are we going to have robust, free, P2P file sharing sites if the media monopoly mafia suddenly makes their paid services as easy to use as a well-seeded torrent?

I have Amazon Prime, a streaming and DVD subscription to Netflix, and a cable-like internet-based TV service.

Yet often I will download something I see is available on my streaming services, because I had to watch it at 7:47 PM when it started but I was watching something else, or just want to make sure there are no annoying "buffering" interruptions ... thank you Comcast!

Or I want to make sure I can see it --or see some part of it-- away from Wi-Fi access, or just repeat a scene because I didn't hear it well (high-frequency hearing loss is a common side effect of the chemotherapy drug cisplatinum, but it beats the hell out of being dead).

People say it's "stealing" but I've already paid to watch it. All I'm doing is time-shifting and creating a reasonable accommodation for my physical limitations, given that I survived cancer and have gotten so old I'm on Medicare.

My one difference with Tim Berners-Lee is that he shouldn't allow it in HTML, because soon enough people will break it and then all you've done is junked up the protocol with tech that will be deprecated before the year is out.

Much better to let the media mafia stream it in an encrypted stream, and that way you can charge people for using an app at the client end to decode it (sort of like a virtual cable box). That way you can pay the app rental every month to remind you how fortunate you are that this monopoly has condescended to let you be their customer.

Sp promote free (as in freedom, even if it's also free like free beer) video on the internet by letting the media mafiosi cut off their own heads and hold them up to show there are no brains in there.

Re:

Re:

There are a couple of reasons.

One is that they're lying about the purpose of DRM. It's not to prevent copyright infringement; it's to prop up middlemen, and allow them to use DRM -- its legal implications, not its technical ones -- to lock customers into a monopoly and wholesalers into a monopsony.

Another is best described in Cory Doctorow's 2012 article, With A Little Help: Digital Lysenkoism. Basically, the engineers who write and support DRM know that shit doesn't work, but the bosses want it so the bosses get it.

Answer me this (everyone except Thad)

How does adding the provision of DRM to the html standard suddenly "break" anything? Can't sites that choose not to use DRM just keep going as always?

It's a serious quesiton, because the claims of "breaking" the internet always seem to come off as "taking away our free lunch". So I am open to hearing the real reasons why (without insults, thanks, it's a serious question).

Re: Answer me this (everyone except Thad)

The problem with DRM is that it means that the corporations need to control your devices to make it work, as otherwise it is easy to bypass. Further in means that they can run arbitrary opaque code on your devices which can be doing anything, and if you think that they will not use it to gather data on you you, and force adverts on you, you are sadly delusional. Just look at what they made unskippable on DVDs, anti piracy messages, and adverts for 'future' releases which get old rather quickly.

Re: Answer me this (everyone except Thad)

Re: Answer me this (everyone except Thad)

One thing i haven't seen mentioned, but another important one, never mind what those providing DRM might do: It's and increased bugload and an increased attack surface.

For something that does not belong in HTML standards at all, it is an awkward bolted-on thing from the start. The increased code in implementing the "standard" adds further complexity, and therefore, bugs and vulnerabilities. And this at a time when browser extensions are becoming less useful for anything serious because the API model is "too vulnerable". So square those two things. Add to that the exposure EME adds, never minding the horrible awful problems and security holes any actual DRM plugin provides. (And which may be installed or downloaded and installed silently.)

If I want to run your service, and you demand DRM, then provide me an installer or whatever. There is no particular use in it being a web "standard" - which will fluctuate and require constant fixes and updates, rendering previous browser versions (and probably OSes) "obsolete" by DRM standards, once they all figure out how crap their standard and implementations are in the real world. Whether it is because it breaks other things, introduces grave vulnerabilities, or because people will keep breaking their DRM. The EME spec will never be enough. Watch it "evolve" faster than any other part of W3C standards ever.

Also, you seem to think everyone who ever has a problem with any of these things does so because they want to infringe content. That's your problem. There are people with copyright concerns i can take seriously, and those who i cannot, and it is fairly clear why they have a concern: Either they want to have some comfort they will make a living from their hard work, or they are abusers or corporations that make an exorbitant living off other people's hard work while usually paying the creator little or nothing. That is, some have concerns in good faith, while others do not. Can you for a moment just imagine that at least some people who have issues with copyright and protections schemes have these concerns in good faith? People would engage more constructively with you. Unless you don't operate in good faith at all.

Re: Re: Re: Answer me this (everyone except Thad)

Much like disabling Flash, if you were to disable that DRM, you would disable everything that requires you to run said DRM. Disabling the DRM module that would allow you to watch Netflix, for example, would disable your access to Netflix. At that point you would have a rather hard decision to make: Run the DRM and watch Netflix in a compromised browser, or run a browser without any DRM modules installed and never watch Netflix again.

Re: Re: Re: Re: Answer me this (everyone except Thad)

Re: Re: Re: Re: Re: Answer me this (everyone except Thad)

You would compromise your broswer every time you run the DRM. Which would you rather have: the most secure browser possible, or a browser that you personally open up to attack each time you want to watch some Netflix?

Re: Re: Re: Re: Re: Re: Re: Answer me this (everyone except Thad)

Netflix would not be the problem. The DRM used by Netflix—DRM that might have security holes which could not be disclosed or even discovered by security researchers—would be the problem. And as others above have said, “apps” for services such as Netflix are actually one-site-only browsers customized for that service.

Which would you rather have: a browser that lessens your chances of a malware attack, or a browser that leaves your device open to malware by way of ineffective, shoddily-written, easily-cracked DRM that cedes control over part of your computer to the people who own and operate that DRM?

When has any form of DRM ever not had bugs? When has any form of DRM ever worked 100% consistently? When has any form of DRM never been cracked?

DRM cedes control of some part of your device to an outside party. It opens up your device to whatever holes can be exploited by malicious actors who have cracked the DRM and weaponized whatever holes they can create. I fail to see how opening up your device to that sort of security risk outweighs the benefits of being able to watch Netflix—especially since you can already watch Netflix without any extra DRM.

UNIX’s bugs can be researched and disclosed and fixed in a timely manner. No one has yet said the same about any DRM cooked into HTML5. And even if someone did, that assurance would still not explain why HTML5 needs DRM—especially when no DRM system has ever been effective in stopping piracy.

UNIX’s bugs can be researched and disclosed and fixed in a timely manner. No one has yet said the same about any DRM cooked into HTML5.

Especially given the refusal to provide an exception to security researchers that might otherwise find bugs in the DRM so they can be fixed. Without that explicitly spelled out any researcher is risking legal action if they try to pick apart the DRM in order to look for any bugs or exploits that could cause problems and/or be used by more nefarious individuals.

Yes, and the framework will be built into every Internet browser possible so that they all keep up with the same HTML5 standard. Only a relative handful of total Internet users will ever use a “non-compliant” browser. The rest of the Internet will use a browser that has those standards built into the code.

And if the DRM framework can be exploited, it will be exploited. So on top of being ineffective at stopping piracy, it will also open up millions of devices to hostile attacks from malicious actors. Why would you think any browser developer would want to make their browser less safe?

If you are worried about exploits, don't use the internet. The amount of code you have to use just to view this page, there is likely some bug in there somewhere that could delete your entire hard drive!

Seriously, a single framework is generally a whole lot better than piecemeal creation and re-creation of unchecked and untested individual hacks to get DRM to "work". By your logic, everything beyond the basic html 1.0 tags is too exotic and risky to use.

That's as nonsensical as saying 'If you're worried about car safety, don't drive'. It is entirely possible to point out that a planned change is unneeded and/or likely to be detrimental without jumping to the extreme of abandoning what's to be changed entirely.

The amount of code you have to use just to view this page, there is likely some bug in there somewhere that could delete your entire hard drive!

... And cause your car to explode, your house to catch fire, and a hurricane to flatten your town, don't forget those 'possible side-effects' too.

That there's already a lot of code involved in a 'simple' page does not mean adding more code, code designed to make it easier to add in additional code specifically designed to take away control of your browser to varying degrees magically becomes no big deal.

Seriously, a single framework is generally a whole lot better than piecemeal creation and re-creation of unchecked and untested individual hacks to get DRM to "work".

Well there's your problem/misconception: Unless your goal is to screw over paying customers and/or make things worse for them, DRM has not, and likely never will, 'work'. That browsers will have an easy way to add in any number of different takes on it is not likely to change that, but it is likely to result in even more companies/sites jumping on the 'let's screw our customers/visitors with DRM' bandwagon and spread the 'joy' of DRM even further.

Still not feeling it. Your objections seem entirely based on the theory that adding support for any extension in the HTML5 standards is a bad idea.

The truth is you consider DRM to be some sort of death sentence for the internet. Yet, I haven't seen or read anything here that explains it. Rather than going off on a soft of general "DRM sucks" rant, can you perhaps explain what specifically you think is suddenly going to break if DRM is (optionally) available to be supported in the HTML5 standards, no different from a whatever is currently replacing flash?

Your objections seem entirely based on the theory that adding support for any extension in the HTML5 standards is a bad idea.

Again with that strawman? Seriously, if you're actually interested in a conversation stop strawmaning the positions of people that reply to you. Continuing to do so just indicates that you're not interested in an honest discussion, despite any claims to the contrary, and as such it's a waste of time to respond to you.

'Any' extension? No, if something is being added for a good reason, like to make things more secure, and it can be properly vetting by people to check that it is secure then I wouldn't really have a problem with it.

Built-in support for extensions that cannot be vetted, that by design are intended to take control away from the user to varying degrees and that historically have never worked and have screwed over legitimate customers while the ones intended to be hit carry on just fine? Yeah, that I have a problem with.

Seriously, if you're actually interested in a conversation stop strawmaning the positions of people that reply to you. Continuing to do so just indicates that you're not interested in an honest discussion, despite any claims to the contrary, and as such it's a waste of time to respond to you.

Let's also remember - this is the same guy who rants about Google and complains about how a lot phones run Android, therefore: MONOPOLY. But for some reason he can't jailbreak or run another OS or just flat out not use Android phones.

Yet he expects the only permitted solution for avoiding DRM exploits in HTML5 to be "don't use the Internet".

Each actual DRM module will be developed by the smallest team possible, and under conditions of maximum secrecy, as those who desire the use of DRM are paranoid about it being broken. This is guaranteed recipe for building in security flaws, and hiding code that are not related to DRM, but rather taking control over the users machines. The Sony Rootkit was not an aberration, but rather a clumsy attempt to achieve what the Proponents of DRM desire, total control over end user machines.

Re: Re: Answer me this (everyone except Thad)

Okay, I take the point that DRM has been a bit all over the road in the past. However, that is in no small part because it's been all non-standard. Standards by their definition improve things dramatically.

I would also say that browsers, OSes, and various web serving platforms all have bugs and all need patching. You are way more likely to get a virus on your computer by opening a bad or fake PDF file. Should we ban PDFs?

Good faith means to me working with standards. Adding DRM in a standard implementation rather than a series of patches, installers, and bloatware that would work in an entirely different fashion for every website. The more variation you have at that level, the more likely that one or more of them will be a failure and will instead root kit your machine or open a back door so big... insert Ron Jeremy joke here.

So, beyond that, you still really didn't answer the question: What is suddenly "broken" if DRM is added to HTML? Remember, nobody is going to force web developers to use it. So what is suddenly magically broken?

Re: Re: Re: Re: Answer me this (everyone except Thad)

Re: Re: Re: Answer me this (everyone except Thad)

This is not a standard form of DRM, but rather a standard framework to allow content providers to insert their own DRM system into a browser, worse this allows the decoder software to be loaded when a stream is opened. Consider this proposal to be a sandbox in which DRM software will run, and like all sandboxes it will fail to fully contain its contents.

Besides which at heart DRM is incompatible with the user having any control over their own hardware, as otherwise screen recorders etc. will defeat it totally.

If you dont want unauthorised people viewing your shit, dont put it into the public stratosphere

Money dictating the privelaged few who can view every public arts if they so chose.......expanding the divide between those with a higher percentage of a nations/global wealth, and those that get by from paycheck to paycheck

Any time the MAfiAA is involved it IS about M.O.N.E.Y. they're clearly throwing it at him like it's buckets of water since it is 1) against his convictions 2)not being open and transparent about it and refusing to discuss any of it.

Re:

No. He is a coward, plain and simple. Physical courage isn't hard to find, it is abundant amongst us humans. Moral courage however is much rarer. TBL just proved he lacks any semblance of moral courage and should no longer be in charge of anything, let alone W3C. He just agreed to screw over billions of fellow humans, and for what? Hmmmm. I wonder if this proposal violates the ECHR?

Re: Re:

perhaps us guys that helped get communicator 5 out ought to gather up and SHOUT NO DRM

perhaps us guys that helped get communicator 5 out ought to gather up and SHOUT NO DRM

thing is of the 60 or so of us only like 20 were not companies or corporations....

funny part is i still ahve my complete copy of communicator 5all way back the netscape 3 gold

firefox is getting less useful every day as i dont upgrade

g+ wont let me share my images no moreneither will facebook ( for people to download and use as they wish)

the entire web is walling itself off and im sick of it....

remember folks supporting facebook, google plus microsft and twitter are all now aligned with drm and the nsa and federal agencies that are dead set against anyone having freedom anymore on the net....they use the words terrorism when there are no cases terrorists use it(encryption) and in decade all the fun i had and friends i met will be walled off from me....and YOU.

I can see a time perhaps 5-10 after that when people jsut turn away form it cause its just the way everything in your commercials on cable are shoved at you that the promise of cable was there was not to be any....

i havent had cable tv since 96....good luck everyone ....im old now and they want us all ot just die and go away ....

Re: perhaps us guys that helped get communicator 5 out ought to gather up and SHOUT NO DRM

If they want you all to die and go away I'd say that represents a clear and present threat to your survival, no? There's usually something that always happens when such a group feels that backed into a corner...

Pragmatism, vs. folding up and crawling into a corner.

Depends what you want the web to be. Some want it to just work. And what's that going to cost?

Others just want it to just work, and how much can we get from that?

I think they're both expecting more than they should be. Square pegs, round holes; nothing new here. If they wanted it to work their way, they should have built their own. They'll never be satisfied by a generic, provided, standards compliant version.